'\" t .\" Title: vfs_acl_xattr .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: 10/14/2024 .\" Manual: System Administration tools .\" Source: Samba 4.21.1 .\" Language: English .\" .TH "VFS_ACL_XATTR" "8" "10/14/2024" "Samba 4\&.21\&.1" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" vfs_acl_xattr \- Save NTFS\-ACLs in Extended Attributes (EAs) .SH "SYNOPSIS" .HP \w'\ 'u vfs objects = acl_xattr .SH "DESCRIPTION" .PP This VFS module is part of the \fBsamba\fR(7) suite\&. .PP This module is made for systems which do not support standardized NFS4 ACLs but only a deprecated POSIX ACL draft implementation\&. This is usually the case on Linux systems\&. Systems that do support just use NFSv4 ACLs directly instead of this module\&. Such support is usually provided by the filesystem VFS module specific to the underlying filesystem that supports NFS4 ACLs .PP The vfs_acl_xattr VFS module stores NTFS Access Control Lists (ACLs) in Extended Attributes (EAs)\&. This enables the full mapping of Windows ACLs on Samba servers even if the ACL implementation is not capable of doing so\&. .PP The NT ACLs are stored in the \fIsecurity\&.NTACL\fR extended attribute of files and directories in a form containing the Windows SID representing the users and groups in the ACL\&. This is different from the uid and gids stored in local filesystem ACLs and the mapping from users and groups to Windows SIDs must be consistent in order to maintain the meaning of the stored NT ACL That extended attribute is \fInot\fR listed by the Linux command getfattr \-d filename\&. To show the current value, the name of the EA must be specified (e\&.g\&. getfattr \-n security\&.NTACL filename)\&. .PP This module forces the following parameters: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} inherit acls = true .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} dos filemode = true .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} force unknown acl user = true .RE .sp .RE .PP This module is stackable\&. .SH "OPTIONS" .PP acl_xattr:security_acl_name = NAME .RS 4 This option allows to redefine the default location for the NTACL extended attribute (xattr)\&. If not set, NTACL xattrs are written to security\&.NTACL which is a protected location, which means the content of the security\&.NTACL attribute is not accessible from normal users outside of Samba\&. When this option is set to use a user\-defined value, e\&.g\&. user\&.NTACL then any user can potentially access and overwrite this information\&. The module prevents access to this xattr over SMB, but the xattr may still be accessed by other means (eg local access, SSH, NFS)\&. This option must only be used when this consequence is clearly understood and when specific precautions are taken to avoid compromising the ACL content\&. .RE .PP acl_xattr:ignore system acls = [yes|no] .RS 4 When set to \fIyes\fR, a best effort mapping from/to the POSIX draft ACL layer will \fInot\fR be done by this module\&. The default is \fIno\fR, which means that Samba keeps setting and evaluating both the system ACLs and the NT ACLs\&. This is better if you need your system ACLs be set for local or NFS file access, too\&. If you only access the data via Samba you might set this to yes to achieve better NT ACL compatibility\&. .sp If \fIacl_xattr:ignore system acls\fR is set to \fIyes\fR, the following additional settings will be enforced: .RS .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} create mask = 0666 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} directory mask = 0777 .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map archive = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map hidden = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map readonly = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} map system = no .RE .sp .RS 4 .ie n \{\ \h'-04'\(bu\h'+03'\c .\} .el \{\ .sp -1 .IP \(bu 2.3 .\} store dos attributes = yes .RE .sp .RE .RE .PP acl_xattr:default acl style = [posix|windows|everyone] .RS 4 This parameter determines the type of ACL that is synthesized in case a file or directory lacks an \fIsecurity\&.NTACL\fR xattr\&. .sp When set to \fIposix\fR, an ACL will be synthesized based on the POSIX mode permissions for user, group and others, with an additional ACE for \fINT Authority\eSYSTEM\fR will full rights\&. .sp When set to \fIwindows\fR, an ACL is synthesized the same way Windows does it, only including permissions for the owner and \fINT Authority\eSYSTEM\fR\&. .sp When set to \fIeveryone\fR, an ACL is synthesized giving full permissions to everyone (S\-1\-1\-0)\&. .sp The default for this option is \fIposix\fR\&. .RE .SH "AUTHOR" .PP The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.